Introduction 


Ponemon Institute is pleased to present the results from the global survey of IT and IT security 
professionals in a wide array of industries, ranging from small companies (SMBs) to enterprise- 
sized organizations. This is our fifth year of surveying IT professionals in North America, our 
third year of surveying Europe and Asia-Pacific, and second year of surveying Latin-America. 
This year we have expanded our research in the APAC region to include Japan and Taiwan. 
Survey findings were used to create a comprehensive index that attempts to measure 
companies’ readiness to respond to a plethora of cyber-attacks. The index consists of two 
component parts: (1) preparedness and (2) threat environment. 


In the context of this research, we define cybersecurity posture as the implementation of 
prevention, detection and response capabilities to manage, mitigate and recover from 
cyberattacks. It refers to an enterprise’s capacity to maintain its core purpose and integrity in 
the face of cyberattacks. In essence, an enterprise with a strong cybersecurity posture is one 
that can prevent, detect, contain and recover from a myriad of serious threats against data, 
applications and IT infrastructure. 


A total of 3,441 respondents were surveyed, which represented a 4.4 percent response rate from a 
proprietary sampling frame of 78,667 targeted individuals.[1] Two hundred and thirty-four 
completed surveys were removed from the final sample because of failed reliability. 


Table 1. Survey response       | North America | Europe | APAC   | LATAM  | Global | Pct% 
Total sampling frame           | 22,830        | 18,865 | 20,073 | 16,899 | 78,667 | 100% 
Total returns                  | 1,039         | 938    | 947    | 751    | 3,675  | 4.7% 
Rejected surveys               | 59            | 52     | 72     | 51     | 234    | 0.3% 
Final sample                   | 980           | 886    | 875    | 700    | 3,441  | 4.4% 

As shown in Figure 1, 72 percent of respondents say they are very familiar (36 percent) or 
familiar (36 percent) with their organization’s approach to information security. 


Figure 1. How familiar are you with your organization’s approach to information security? 
Sample size n = 3,441 

[1] Ponemon Institute has built and maintains a sampling frame that represents the known population of individuals 
who are IT or IT security practitioners. 


Thirty-four percent of respondents were from companies with fewer than 100 individuals. 
Another 37 percent were from companies with a headcount of 100 to 999 employees, and the 
remaining 29 percent were in larger-sized companies with 1,000 or more employees. 


Figure 2. Worldwide headcount of respondent’s organization 
Sample size n = 3,441 
[Bar chart, 0% to 100%, by region: North America, Europe, APAC, LATAM, Global; 
categories: Less than 100, 100 to 999, More than 1,000] 


Figure 3 reports 72 percent of respondents who say they have full responsibility (85 percent) or 
some responsibility (37 percent) for their organization’s security activities and investments. 
Twenty-eight percent say they have minimal responsibility. 


Figure 3. Do you have any responsibility for directing security activities and investments 
in your organization? 
Sample size n = 3,441 
Figure 4 shows the respondents’ position level. Twenty-two percent of the sample consists of 
individuals who are IT technicians (e.g., rank-and-file employees). Another 21 percent are 
managers, 15 percent are supervisors and 13 percent are directors. A total of 14 percent are at 
the senior executive level and vice president level. 


Figure 4. What organizational level best describes your current position? 
Sample size n = 3,441 
[Pie chart; legend begins with Senior Executive] 
Figure 5 shows the respondents’ direct reporting line (e.g., chain of command). Twenty-one 
percent of respondents consist of individuals who report to the organization’s chief information 
officer. Another 15 percent of respondents report to the chief information security officer, 14 
percent of respondents report to the chief technology officer and 14 percent of respondents 
report to the general management/line of business. 


Figure 5. Primary person you or your supervisor reports to within the organization. 
Sample size n = 3,441 
[Pie chart; legend: Chief Information Officer, Chief Information Security Officer, Chief Technology 
Officer, General Manager/Lines of Business, Compliance Officer, CEO/Executive Committee, Chief 
Security Officer, Data Center Management, Chief Financial Officer, General Counsel, Chief Risk Officer] 
Figure 6 reports the respondents’ primary industry classification or focus, which includes 15 
vertical sectors. As can be seen, the largest sector is financial services (13 percent of 
respondents), which includes banking, investment management, insurance, brokerage, 
payments and credit cards. This is followed by public sector (10 percent of respondents), 
industrial/manufacturing (10 percent of respondents), services (9 percent of respondents) and 
health and pharmaceuticals (9 percent of respondents). Smaller verticals include technology 
and software, energy and utilities, and retail (each at 8 percent of respondents). Retail includes 
both internet and brick-and-mortar companies. Services include professional firms, as well as 
general service companies (such as construction, real estate and others). 


Figure 6. What industry best describes your organization’s industry focus? 
Sample size n = 3,441 
Calculating the Cyber Risk Index 


The following table summarizes the Cyber Risk Index computed from benchmark survey samples in North 
America, Europe, Asia-Pacific and Latin America countries. 


Table 2. Cybersecurity Index | North America | Europe | APAC | LATAM | Global 
Preparedness                 | 5.35          | 5.10   | 5.35 | 4.94  | 5.18 
Threat                       | 5.36          | 5.25   | 5.15 | 5.14  | 5.22 
Cybersecurity Index          | -0.01         | -0.15  | 0.20 | -0.19 | 





As shown, the CRI is composed of two independent indices — namely, the cyber preparedness index and the 
cyber threat index. The preparedness index represents an organization’s readiness to defend against 
cyberattacks. The cyber threat index represents the state of the threat landscape at the time the CRI was 
calculated. 


The CRI is calculated by subtracting the Cyber Threat Index from the Cyber Preparedness Index. The scale 
is +10 to -10. The theoretical mean and median are zero and negative 10 is the upper sample limit, which 
suggests trending to maximum cyber risk. 


As can be seen, the North America survey compiled in FY2022 produced a net negative CRI (-0.01). 
Respondents in Europe and LATAM also produced a net negative CRI of -0.15 and -0.19, respectively. This 
suggests a threat landscape that presents increasing cyber risk in North America, Europe and LATAM. The 
survey results for Asia-Pacific show a net positive CRI (0.20), indicating better preparedness in dealing 
with cyber threats. 
Part 2. Preparedness Index 


Table 3 provides 31 statements (a.k.a. attributions) used to determine a company’s preparedness, 
or its ability to deal with cyber exploits and breach incidents. This list of attributions was compiled 
from Ponemon Institute research conducted over several years that examines the security posture 
of companies. 


Each attribution is rated using the following adjective scale: 

Strongly disagree | Disagree | Unsure | Agree | Strongly agree 




















Table 3. Attributions used to determine how prepared you are to respond to cyber attacks 

Q1. My organization’s security budget is sufficient to protect data assets and IT infrastructure. 
Q2. My organization’s IT security personnel have sufficient knowledge, skill and expertise to protect data assets and IT infrastructure. 
Q3. My organization’s C-level executives view IT security as a top business priority. 
Q4. My organization’s IT security leader reports to senior leadership (such as the CEO, COO or CIO). 
Q5. My organization’s CEO and Board of Directors are actively involved in overseeing the IT security function. 
Q6. My organization’s senior leadership views security as a competitive advantage. 
Q7. My organization’s IT security leader (CISO) has sufficient authority and resources to achieve a strong security posture. 
Q8. My organization makes appropriate investments in leading-edge security technologies such as machine learning, automation, orchestration, analytics and/or artificial intelligence tools. 
Q9. My organization is actively involved in threat sharing with other companies and government. 
Q10. My organization spends considerable resources evaluating third-party security risks (including the cloud and the entire supply chain). 
Q11. My organization spends considerable resources to recruit and retain IT security personnel. 
Q12. My organization spends considerable resources educating employees about security requirements. 
Q13. My organization’s enabling security technologies are sufficient to protect data assets and IT infrastructure. 
Q14. My organization is well prepared to deal with data breaches and cybersecurity exploits. 
Q15. My organization’s IT security objectives are aligned with business objectives. 
Q16. My organization’s IT security function supports security in the DevOps environment. 
Q17. My organization’s IT security function supports security in the DR and BCM environment. 
Q18. My organization’s IT security function complies with data protection and privacy requirements. 
Q19. My organization’s IT security function is able to prevent most cyber attacks. 
Q20. My organization’s IT security function is able to detect most cyber attacks. 
Q21. My organization’s IT security function is able to contain most cyber attacks. 
Q22. My organization’s IT security function is able to detect zero-day attacks. 
Q23. My organization’s IT security architecture has high interoperability, scalability and agility. 
Q24. My organization’s IT security function is quick to test and install all security patches. 
Q25. My organization’s IT security function conducts assessments and/or audits to identify threats, vulnerabilities and attacks. 
Q26. My organization’s IT security function conducts assessments and/or audits to determine compliance to security policies, standard operating procedures and external requirements. 
Q27. My organization’s IT security function strictly enforces acts of non-compliance to security policies, standard operating procedures and external requirements. 
Q28. My organization’s IT security function is involved in determining the acceptable use of disruptive technologies (such as mobile, cloud, social media, IoT devices) in the workplace. 
Q29. My organization’s IT security function has the ability to know the physical location of business-critical data assets and applications. 
Q30. My organization’s IT security function has the ability to unleash countermeasures (such as honeypots) to gain intelligence about the attacker. 
Q31. My organization’s IT security function has evolved over time in response to changing attacks and attack patterns (e.g., vectors). 
Scoring the Preparedness Index: Each attribution is equally weighted and scored using the 
following heuristic: 

Strongly agree = 10 points 
Agree = 7.5 points 
Unsure = 5 points 
Disagree = 2.5 points 
Strongly disagree = 0 points. 


The average of all 31 scored attributions is a numerical value between 0 and 10 points, with a 
theoretical mean of 5 points. An average value above 5 points indicates preparedness, while 
a value at or below 5 points indicates the opposite. Following are the ranges and color coding 
used for interpreting the results: 

Range            | Color flag | Interpretation 
7.6 to 10 points |            | Very favorable, unambiguous results 
5.1 to 7.5 points |           | Favorable, with mixed results 
2.6 to 5.0 points |           | Unfavorable, with mixed results 
0 to 2.5 points  |            | Not prepared, unambiguous results 
Part 3. Threat Index 

The threat index requires the completion of 10 items (or sections) relating to the actual 
experiences of companies over the past 12 months. Each section is equally weighted. Following 
are the specific questions used to compile the threat index. 


Table 4 shows the first six questions that are scored using a five-point numeric scale. 


Table 4. Recent history of cyber exploits and breaches 

Q1. How many separate data breach incidents involving the loss or theft of customer records did your organization experience over the past 12 months? 
Q2. How many separate data breach incidents involving the leakage of information assets did your organization experience over the past 12 months? 
Q3. How many separate cyber attacks that infiltrated your organization’s networks and/or enterprise systems did your organization experience over the past 12 months? 
Q4. What is the likelihood that your organization will experience a data breach of customer records within the next 12 months? 
Q5. What is the likelihood that your organization will experience a data breach involving the leakage of information assets (e.g., intellectual property) within the next 12 months? 
Q6. What is the likelihood that your organization will experience one or more cyber attacks that have infiltrated your networks or enterprise systems within the next 12 months? 

Table 5 shows Q7, which is a list of 13 data types from a risk perspective (rated using a 5-point 
adjective scale from very high to very low). 


Table 5. Data types that increase cyber risk 

Q7. Following are data types that may be at risk of loss or theft within your organization. Please rate 
each data type using the following 5-point risk scale: Very high risk (10), high risk (7.5), moderate risk 
(5.0), low risk (2.5) and very low risk (0). 

Analytics (data models) 
Attorney-client privileged information 
Business communication (email) 
Company-confidential information 
Consumer data 
Customer accounts 
Financial information 
Human resource (employee) files 
Operational information 
Product/market information 
R&D information 
Source code 
Trade secrets 
Table 6 shows Q8, which is a list of 19 cyber threats from a risk perspective (rated using a 5-point 
adjective scale from very likely to no chance). 


Table 6. Cyber threats that increase cyber risk 

Q8. Following are cyber threats that may be experienced by your organization within the next 12 months. 
Please rate each threat using the following 5-point likelihood scale: Very likely (10), likely (7.5), somewhat 
likely (5), not likely (2.5) and no chance (0). 

Advanced malware 
Advanced persistent threats (APT) 
Botnets 
Clickjacking 
Cross-site scripting 
Denial of service (DoS) 
DNS-based attacks 
Fileless attack 
Login attacks 
Malicious insiders 
Man-in-the-middle attack 
Phishing and social engineering 
Ransomware 
Registration spamming 
Rootkits 
Server side injection (SSI) 
SQL and code injection 
Watering hole attacks 
Web scraping 

Table 7 shows Q9, which is a list of 9 negative consequences that arise from cyber threats (rated 
using a 5-point adjective scale from very likely to no chance). 


Table 7. Negative consequences of cyber threats 

Q9. Following are negative consequences that your organization may experience as a result of a cyber 
attack or breach within the next 12 months. Please rate each negative consequence using the following 
5-point likelihood scale: Very likely (10), likely (7.5), somewhat likely (5), not likely (2.5) and no chance 
(0). 

Lost revenues 
Lost intellectual property (including trade secrets) 
Stolen or damaged equipment 
Disruption or damages to critical infrastructure 
Productivity decline 
Regulatory actions or lawsuits 
Reputation or brand damage 
Customer turnover 
Cost of outside consultants and experts 
Table 8 shows Q10, which is a list of 16 areas of the IT infrastructure from a risk perspective 
(rated using a 5-point adjective scale from very high to very low). 


Table 8. Areas of the IT infrastructure that increase cyber risk 

Q10. Following are 16 areas that may present security risks within your IT infrastructure today. Please rate 
each area using the following 5-point risk scale: Very high risk (10), high risk (7.5), moderate risk (5), low 
risk (2.5) and very low risk (0). 

DNS server environment 
Data centers 
Within operating systems 
Across 3rd party applications 
Desktop or laptop computers 
Mobile devices such as smart phones 
IoT devices and applications 
Network infrastructure environment (gateway to endpoint) 
Malicious insiders 
Negligent insiders 
Shortage of qualified personnel 
Cloud computing infrastructure and providers 
Virtual computing environments (servers, endpoints) 
Mobile/remote employees 
Lack of system connectivity/visibility 
Organizational misalignment and complexity 

Scoring the Threat Index: Each one of the 10 items/questions is equally weighted and scored 
using the following heuristics: 

Score | Q1, Q2, Q3 (Number of incidents) | Q4, Q5, Q6 (Likelihood of occurrence) | Q7 (Risk) | Q8 (Likelihood of occurrence) | Q9 (Likelihood of occurrence) | Q10 (Risk) 
0     | None                             | No chance                             | Very low  | No chance                     | No chance                     | Very low 
2.5   | 1 to 2                           | Not likely                            | Low       | Not likely                    | Not likely                    | Low 
5     | 3 to 6                           | Somewhat likely                       | Moderate  | Somewhat likely               | Somewhat likely               | Moderate 
7.5   | 7 to 10                          | Likely                                | High      | Likely                        | Likely                        | High 
10    | More than 10                     | Very likely                           | Very high | Very likely                   | Very likely                   | Very high 

The average of all 10 scored questions is a numerical value between 0 and 10, with a theoretical 
mean of 5 points. An average value above 5 points indicates a high cyber threat environment, 
and a value at or below 5 points indicates the opposite. Following are the ranges used for 
interpreting results: 

Range             | Color flag | Interpretation 
7.6 to 10 points  |            | Not prepared, unambiguous results 
5.1 to 7.5 points |            | Unfavorable, with mixed results 
2.6 to 5.0 points |            | Favorable, with mixed results 
0 to 2.5 points   |            | Very favorable, unambiguous results 
Combined scoring 


Both the preparedness and threat index utilize a 0 to 10 point scale.[2] Hence, individuated scores 
can be combined, with the following potential outcomes: 



                                               | Unfavorable threat index at or above 5 | Favorable threat index below 5 
Favorable preparedness index above 5           | Not logical                            | Logical 
Unfavorable preparedness index at or below 5   | Logical                                | Not logical 


The above matrix shows logical and illogical results for the combined score. 

+ Worst case combined score is -10: that is, an unfavorable preparedness score (0) and an 
unfavorable threat index (10) = [0 - 10] 

+ Best case combined score is +10: that is, a favorable preparedness score (10) and a 
favorable threat index (0) = [10 - 0] 


Our hypothesis is that a high unfavorable threat index score (above 5 points) will be correlated to 
a low preparedness score (at or below 5 points). In contrast, a high level of preparedness will 
moderate the impact of cyber threats (therein a lower combined score). 
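The scoring rules of Parts 2 and 3 and the combined scoring above, carried through in code. This is an added example, not Ponemon Institute's own scoring code: the point values, ranges and matrix follow the report's text; the survey responses at the bottom are constructed. Two assumptions are made where the text is silent: the multi-row sections Q7 to Q10 are each collapsed to their own mean before the 10-way average (consistent with "each section is equally weighted"), and a score that falls in the gap between two published bands (e.g. 7.55) is placed in the lower band.

```python
"""Worked Cyber Risk Index (CRI) scoring: added example, not Ponemon Institute code."""
from statistics import mean

# Part 2: adjective scale for the 31 preparedness attributions (points per report).
PREPAREDNESS_POINTS = {
    "Strongly agree": 10.0, "Agree": 7.5, "Unsure": 5.0,
    "Disagree": 2.5, "Strongly disagree": 0.0,
}
# Part 3: five-point scales shared by the threat items.
LIKELIHOOD_POINTS = {  # Q4-Q6, Q8, Q9
    "Very likely": 10.0, "Likely": 7.5, "Somewhat likely": 5.0,
    "Not likely": 2.5, "No chance": 0.0,
}
RISK_POINTS = {  # Q7, Q10
    "Very high": 10.0, "High": 7.5, "Moderate": 5.0, "Low": 2.5, "Very low": 0.0,
}


def incident_score(count: int) -> float:
    """Q1-Q3: map a 12-month incident count onto the 0..10 scale."""
    if count < 0:
        raise ValueError("incident count cannot be negative")
    if count == 0:
        return 0.0
    if count <= 2:
        return 2.5
    if count <= 6:
        return 5.0
    if count <= 10:
        return 7.5
    return 10.0


def preparedness_index(answers: list[str]) -> float:
    """Equal-weight mean of the 31 attribution answers; rejects wrong counts."""
    if len(answers) != 31:
        raise ValueError(f"expected 31 attributions, got {len(answers)}")
    return mean(PREPAREDNESS_POINTS[a] for a in answers)


def threat_index(incidents: list[int], likelihoods: list[str], q7_risks: list[str],
                 q8_likelihoods: list[str], q9_likelihoods: list[str],
                 q10_risks: list[str]) -> float:
    """Equal-weight mean of the 10 threat items.

    Q1-Q3 and Q4-Q6 are one item each; Q7-Q10 are multi-row sections and are
    collapsed to their own mean first (assumption, see lead-in).
    """
    if len(incidents) != 3 or len(likelihoods) != 3:
        raise ValueError("Q1-Q3 need 3 counts and Q4-Q6 need 3 likelihood answers")
    items = [incident_score(n) for n in incidents]
    items += [LIKELIHOOD_POINTS[a] for a in likelihoods]
    items.append(mean(RISK_POINTS[a] for a in q7_risks))
    items.append(mean(LIKELIHOOD_POINTS[a] for a in q8_likelihoods))
    items.append(mean(LIKELIHOOD_POINTS[a] for a in q9_likelihoods))
    items.append(mean(RISK_POINTS[a] for a in q10_risks))
    return mean(items)  # exactly 10 items


def cyber_risk_index(preparedness: float, threat: float) -> float:
    """CRI = preparedness index minus threat index, on the -10..+10 scale."""
    return round(preparedness - threat, 2)


def interpret_preparedness(score: float) -> str:
    """Part 2 ranges; gaps between bands fall to the lower band (assumption)."""
    if score > 7.5:
        return "Very favorable, unambiguous results"
    if score > 5.0:
        return "Favorable, with mixed results"
    if score > 2.5:
        return "Unfavorable, with mixed results"
    return "Not prepared, unambiguous results"


def interpret_threat(score: float) -> str:
    """Part 3 ranges: the same bands, read in the opposite direction."""
    if score > 7.5:
        return "Not prepared, unambiguous results"
    if score > 5.0:
        return "Unfavorable, with mixed results"
    if score > 2.5:
        return "Favorable, with mixed results"
    return "Very favorable, unambiguous results"


def combination_is_logical(preparedness: float, threat: float) -> bool:
    """Combined-scoring matrix: favorable (>5) preparedness with favorable (<5)
    threat, or unfavorable with unfavorable, is 'logical'; mixed cells are not."""
    return (preparedness > 5) == (threat < 5)


if __name__ == "__main__":
    # Constructed responses for one organization (not survey data).
    prep = preparedness_index(["Agree"] * 20 + ["Unsure"] * 6 + ["Disagree"] * 5)
    threat = threat_index([1, 0, 4], ["Likely", "Somewhat likely", "Likely"],
                          ["High", "Moderate"], ["Likely", "Not likely"],
                          ["Somewhat likely"], ["High", "High", "Low"])
    print(f"preparedness={prep:.2f} ({interpret_preparedness(prep)})")
    print(f"threat={threat:.2f} ({interpret_threat(threat)})")
    print(f"CRI={cyber_risk_index(prep, threat)} logical={combination_is_logical(prep, threat)}")
```

Feeding the regional means from Table 2 into `cyber_risk_index` reproduces the CRI values the report states for North America, Europe and APAC (-0.01, -0.15, 0.20); LATAM comes out at -0.20 from the rounded means shown, against the -0.19 stated, which is the kind of rounding difference a reader should expect when re-deriving an index from two-decimal inputs.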


Part 4. Caveats 


Both the preparedness and threat index are based on survey results. There are inherent 
limitations to survey research that need to be carefully considered before drawing inferences from 
findings. The following items are specific limitations that are germane to most surveys. 


+ Non-response bias: The current findings are based on a sample of survey returns. We sent 
surveys to a representative sample of individuals, resulting in 3,441 usable returned 
responses. Despite non-response tests, it is always possible that individuals who did not 
participate are substantially different in terms of underlying beliefs from those who completed 
the instrument. 


+ Sampling-frame bias: The accuracy is based on contact information and the degree to which 
the list is representative of individuals who are IT or IT security practitioners. We also 
acknowledge that the results may be biased by external events such as media coverage. 
Finally, because we used a Web-based collection method, it is possible that non-Web 
responses by mailed survey or telephone call would result in a different pattern of findings. 


+ Self-reported results: The quality of survey research is based on the integrity of confidential 
responses received from subjects. While certain checks and balances can be incorporated 
into the survey process, there is always the possibility that a subject did not provide accurate 





[2] The combined preparedness and threat index should be inversely correlated, thus the potential range of the combined 
index is -10 to +10 with a theoretical mean of 0. 
For more information about this study, please contact Ponemon Institute by sending an 
email to research@ponemon.org or calling us at 1.800.887.3118. 








Ponemon Institute 
Advancing Responsible Information Management 


Ponemon Institute is dedicated to independent research and education that advances responsible 
information and privacy management practices within business and government. Our mission is to conduct 
high quality, empirical studies on critical issues affecting the management and security of sensitive 
information about people and organizations. 


We uphold strict data confidentiality, privacy and ethical research standards. We do not collect any 
personally identifiable information from individuals (or company identifiable information in our business 
research). Furthermore, we have strict quality standards to ensure that subjects are not asked extraneous, 
irrelevant or improper questions. 